PAM authentication

Ed Maste emaste at phaedrus.sandvine.ca
Sat Apr 16 00:27:06 EST 2005


On Fri, Apr 15, 2005 at 12:01:56PM +0200, Søren Hansen wrote:

> I find it annoying that openssh takes active part in the authentication
> process when using PAM. Namely, SSH doesn't pass the user's password if
> the getpwent for the user returns NULL. 
> 
> I use a clever PAM setup that allows nonexisting users to log in if they
> are successfully authenticated against a Samba server.
> When the user logs in for the first time, he's added to the user
> database and obviously only then will a call to getpwnam be successful.
> 
> I propose a configuration option to allow the authentication token to be
> passed to PAM even if the user has no pwentry.

You'll need to do more work than just passing in the token to PAM to
make this work, though.  Even if PAM returns success, sshd still has
authctxt->valid = 0.  You do need the getpwnamallow() call before auth
though, to allow public key auth to work.

You could try passing the token to PAM even if valid = 0, then call
getpwnamallow() a second time if PAM auth succeeds to load the new
pw entry. 

--
Ed Maste
Sandvine Incorporated
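
A minimal model of the flow suggested in the reply above, added here as an illustration; it is not OpenSSH code and not part of the original message. `lookup_user` stands in for getpwnamallow(), `pam_stub_auth` for the PAM stack, and the user names, password and `provision` switch are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_USERS 8

/* Constructed stand-in for the passwd database. */
static const char *user_db[MAX_USERS] = { "alice" };
static int user_count = 1;

struct authctxt { const char *user; int valid; };

/* Stand-in for getpwnamallow(): 1 if the account exists locally. */
static int lookup_user(const char *name) {
    int i;
    for (i = 0; i < user_count; i++)
        if (strcmp(user_db[i], name) == 0) return 1;
    return 0;
}

/* Stand-in for the PAM stack: checks a constructed remote credential and,
 * like the setup described, adds the account on first successful login
 * when `provision` is set. */
static int pam_stub_auth(const char *name, const char *pw, int provision) {
    if (strcmp(name, "bob") != 0 || strcmp(pw, "remote-secret") != 0)
        return 0;
    if (provision && !lookup_user(name) && user_count < MAX_USERS)
        user_db[user_count++] = name;
    return 1;
}

/* Suggested flow: look up, authenticate even if valid == 0, look up again. */
static int try_password_auth(struct authctxt *ctx, const char *pw, int provision) {
    ctx->valid = lookup_user(ctx->user);          /* first lookup, before auth */
    if (!pam_stub_auth(ctx->user, pw, provision)) /* real token goes to PAM */
        return 0;
    if (!ctx->valid)
        ctx->valid = lookup_user(ctx->user);      /* second lookup after PAM success */
    return ctx->valid;                            /* PAM success alone is not enough */
}

int main(void) {
    struct authctxt ctx = { "bob", 0 };
    printf("no provisioning: %d\n", try_password_auth(&ctx, "remote-secret", 0));
    printf("wrong password:  %d\n", try_password_auth(&ctx, "guess", 1));
    printf("provisioning:    %d\n", try_password_auth(&ctx, "remote-secret", 1));
    return 0;
}
```

The first case shows why the second lookup still gates the login: if PAM succeeds but no pw entry appears, the session has no account to run as and the attempt is rejected.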




More information about the openssh-unix-dev mailing list